Welcome! Log In Create A New Profile

Advanced

[PATCH 04 of 11] SSL: explicit session id length checking

Maxim Dounin
August 25, 2022 11:14PM
# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1661481949 -10800
# Fri Aug 26 05:45:49 2022 +0300
# Node ID f4ae0f4ee928cf20346530e96f1431314ecd0171
# Parent 86d827338fdd13ea899d618b0bcb2be23469cbac
SSL: explicit session id length checking.

Session ids are not expected to be longer than 32 bytes, but this is
theoretically possible with TLSv1.3, where session ids are essentially
arbitrary and sent as session tickets. Since on 64-bit platforms we
use fixed 32-byte buffer for session ids, added an explicit length check
to make sure the buffer is large enough.

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -3842,6 +3842,14 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_
p = buf;
i2d_SSL_SESSION(sess, &p);

+ session_id = (u_char *) SSL_SESSION_get_id(sess, &session_id_length);
+
+ /* do not cache sessions with too long session id */
+
+ if (session_id_length > 32) {
+ return 0;
+ }
+
c = ngx_ssl_get_connection(ssl_conn);

ssl_ctx = c->ssl->session_ctx;
@@ -3886,8 +3894,6 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_
}
}

- session_id = (u_char *) SSL_SESSION_get_id(sess, &session_id_length);
-
#if (NGX_PTR_SIZE == 8)

id = sess_id->sess_id;

_______________________________________________
nginx-devel mailing list -- nginx-devel@nginx.org
To unsubscribe send an email to nginx-devel-leave@nginx.org
Subject Author Views Posted

[PATCH 00 of 11] SSL session handling patches

Maxim Dounin 700 August 25, 2022 11:14PM

[PATCH 06 of 11] SSL: explicit clearing of expired sessions

Maxim Dounin 312 August 25, 2022 11:14PM

[PATCH 04 of 11] SSL: explicit session id length checking

Maxim Dounin 211 August 25, 2022 11:14PM

Re: [PATCH 04 of 11] SSL: explicit session id length checking

Sergey Kandaurov 198 September 15, 2022 01:42AM

Re: [PATCH 04 of 11] SSL: explicit session id length checking

Maxim Dounin 236 September 16, 2022 05:04PM

Re: [PATCH 04 of 11] SSL: explicit session id length checking

Sergey Kandaurov 199 September 26, 2022 06:14AM

[PATCH 08 of 11] SSL: renamed session ticket key type

Maxim Dounin 208 August 25, 2022 11:14PM

[PATCH 10 of 11] SSL: shorter debug messages about session tickets

Maxim Dounin 199 August 25, 2022 11:14PM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 118
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready